21.1 Legacy Series / Wireguard restart causes unbound to stop resolving names on FW only.
« on: July 01, 2021, 03:29:12 am »
Unbound stops working when I try to add WG1, an FQDN-based connection. As you can see, I can ping google.com by name. Then I restart WireGuard. WG0 comes up but WG1 fails because of DNS. Immediately afterward I can no longer resolve DNS:
Code:
root@owlhouse:/usr # ping google.com
PING google.com (172.217.5.14): 56 data bytes
64 bytes from 172.217.5.14: icmp_seq=0 ttl=119 time=15.542 ms
64 bytes from 172.217.5.14: icmp_seq=1 ttl=119 time=15.475 ms
64 bytes from 172.217.5.14: icmp_seq=2 ttl=119 time=15.842 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.475/15.620/15.842/0.160 ms
root@owlhouse:/usr # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
wg-quick: `wg1' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.12.1/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 192.168.12.12/32 -interface wg0
[#] route -q -n add -inet 192.168.12.11/32 -interface wg0
[#] route -q -n add -inet 192.168.12.10/32 -interface wg0
[+] Backgrounding route monitor
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
Name does not resolve: `vaaa.bbb.ccc:51820'
Configuration parsing error
[#] rm -f /var/run/wireguard/wg1.sock
root@owlhouse:/usr # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@owlhouse:/usr #
I can see no errors in syslog. And DNS is working for everything else on the LAN - just not on the FW itself. Is this an unbound problem or a wireguard problem?
Unbound:
Code:
<unbound>
<enable>1</enable>
<custom_options>#server:
#tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853</custom_options>
<dnssec>1</dnssec>
<noreglladdr6>1</noreglladdr6>
<acls>
<aclname>VPN</aclname>
<aclaction>allow</aclaction>
<description/>
<row>
<acl_network>192.168.1.0</acl_network>
<mask>24</mask>
<description/>
</row>
</acls>
<acls>
<aclname>WGaccess</aclname>
<aclaction>allow</aclaction>
<description/>
<row>
<acl_network>192.168.12.0</acl_network>
<mask>24</mask>
<description/>
</row>
<row>
<acl_network>10.11.14.0</acl_network>
<mask>24</mask>
<description/>
</row>
</acls>
</unbound>
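An added example, not code from the post or from the OPNsense project. The custom_options above enable forward-tls-upstream, but the tls-cert-bundle line is commented out and the forward-addr entries carry no "#hostname" authentication name, so Unbound will encrypt to 1.1.1.1/1.0.0.1 without verifying whose certificate it is talking to (Unbound only authenticates a DoT forwarder when a CA bundle or tls-system-cert is configured and the address carries an auth name). The script parses that fragment the way Unbound reads it (comment lines ignored), reports the gaps, and prints a corrected version. Assumptions: the auth name cloudflare-dns.com for those two addresses, and the bundle path /etc/ssl/cert.pem taken from the commented line; whether the leading "server:" line is needed depends on where OPNsense splices custom options into unbound.conf.

```python
"""Audit an Unbound forward-zone fragment for unauthenticated DNS-over-TLS."""
import re

# Constructed copy of the <custom_options> text in the post above.
# Lines beginning with '#' are comments, so neither 'server:' nor
# 'tls-cert-bundle' is active in this fragment.
POSTED_OPTIONS = """\
#server:
#tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
"""

# Assumption for the example: the TLS name each forwarder should present.
# The post does not say which resolver operator these addresses belong to.
AUTH_NAMES = {"1.1.1.1": "cloudflare-dns.com", "1.0.0.1": "cloudflare-dns.com"}

# Assumption: CA bundle path taken from the commented-out line in the post.
CERT_BUNDLE = "/etc/ssl/cert.pem"


def parse_options(text):
    """Split an Unbound fragment into server: options and forward-zone: blocks.

    Comment lines are skipped, which is exactly why the posted bundle line
    has no effect. Values are kept as written (quotes included).
    """
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "server:":
            current = None
            continue
        if line == "forward-zone:":
            current = {"forward-addr": []}
            zones.append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:
            server[key] = value
        elif key == "forward-addr":
            current["forward-addr"].append(value)
        else:
            current[key] = value
    return server, zones


def audit(text):
    """Return a list of findings; empty means every TLS forwarder is authenticated."""
    server, zones = parse_options(text)
    can_verify = "tls-cert-bundle" in server or server.get("tls-system-cert") == "yes"
    findings = []
    for zone in zones:
        name = zone.get("name", "?")
        if zone.get("forward-tls-upstream") != "yes":
            findings.append(f"zone {name}: forwarding in cleartext")
            continue
        if not can_verify:
            findings.append(f"zone {name}: TLS upstream without tls-cert-bundle/tls-system-cert, "
                            "so the forwarder's certificate is never verified")
        for addr in zone["forward-addr"]:
            if "#" not in addr:
                findings.append(f"forward-addr {addr}: no '#hostname' authentication name")
    return findings


def harden(text):
    """Emit the same zones with a CA bundle enabled and auth names appended."""
    _, zones = parse_options(text)
    out = ["server:", f'    tls-cert-bundle: "{CERT_BUNDLE}"']
    for zone in zones:
        name = zone.get("name") or '"."'
        out += ["forward-zone:", f"    name: {name}", "    forward-tls-upstream: yes"]
        for addr in zone["forward-addr"]:
            ip = addr.split("@", 1)[0]
            if "#" not in addr and ip in AUTH_NAMES:
                addr = f"{addr}#{AUTH_NAMES[ip]}"
            out.append(f"    forward-addr: {addr}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(POSTED_OPTIONS):
        print("posted:", finding)
    print("hardened fragment:\n" + harden(POSTED_OPTIONS))
```

audit() returns three findings for the posted fragment (no bundle, two addresses without an auth name) and none for the output of harden(); paste the hardened text back into custom_options only after checking where OPNsense places it relative to its own server: block.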
Virtual private networks / Routed IPSec Tunnel - IPSEC interface is not choosable under gateway
« on: June 28, 2021, 09:36:40 pm »
I am trying to set up a routed IPsec connection almost verbatim to the guide here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html without success. Under "Step 5 - Define Gateways" it says use interface IPSEC1000, but I can only choose WAN, LAN, OPT1, etc. as the interface for the gateways. The IPSEC interface is created and, for example, available under firewall rules.
I've been through the instructions over and over... Am I missing something that I can't choose IPSEC? Install policy is unchecked for sure.
21.1 Legacy Series / 503 Service Unavailable
« on: February 15, 2021, 06:08:39 am »
For a while I have been getting a 503 Service Unavailable page after a reboot. A GUI restart with /usr/local/etc/rc.restart_webgui fixed it. Since it only occurred after a reboot and those didn't happen that often, I didn't put much effort into figuring out what was wrong. However now I get them all the time. GUI restart doesn't help. Restarting all services doesn't help. Network traffic seems unaffected and SSH still works. It is only the web GUI that does not work.
I can see a lot of these in lighttpd.log:
Code:
Feb 14 22:21:55 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1 0 /tmp/php-fastcgi.socket
Feb 14 22:21:55 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0 0 /tmp/php-fastcgi.socket
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.970) all handlers for /widgets/widgets/ntp_status.widget.php?updateme=yes on .php are down.
Code:
Feb 14 22:21:52 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1 0 /tmp/php-fastcgi.socket
Feb 14 22:21:52 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0 0 /tmp/php-fastcgi.socket
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.970) all handlers for /api/api.php?limit=100 on .php are down.
php-fpm.log says only:
Code:
[14-Feb-2021 22:01:30] NOTICE: fpm is running, pid 41964
[14-Feb-2021 22:01:30] NOTICE: ready to handle connections
Something isn't configured right, but where can I look for the problem?
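An added example, not from the post or the OPNsense project, that runs detection logic over the log lines posted above. "Connection refused" on a unix socket means nothing was accepting connections at that path when lighttpd tried; "all handlers ... are down" is the moment the 503 is returned to the browser. The script groups refusals per socket, lists the request paths that were failed, and compares the first refusal with php-fpm's last "ready to handle connections" message. The syslog lines carry no year, so 2021 from the php-fpm log is assumed. For the posted excerpts php-fpm reported ready about twenty minutes before lighttpd started being refused, so the next check is whether a php-fpm process is still alive at that point and what path its pool's listen directive names, compared with the sockets lighttpd is dialling.

```python
"""Correlate lighttpd FastCGI backend failures with php-fpm readiness."""
import re
from collections import Counter
from datetime import datetime

# Constructed from the two lighttpd excerpts in the post, put in time order.
LIGHTTPD_LOG = """\
Feb 14 22:21:52 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1 0 /tmp/php-fastcgi.socket
Feb 14 22:21:52 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0 0 /tmp/php-fastcgi.socket
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
Feb 14 22:21:53 home lighttpd[81368]: (gw_backend.c.970) all handlers for /api/api.php?limit=100 on .php are down.
Feb 14 22:21:55 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1 0 /tmp/php-fastcgi.socket
Feb 14 22:21:55 home lighttpd[81368]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-0 0 /tmp/php-fastcgi.socket
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-1: Connection refused
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.238) establishing connection failed: socket: unix:/tmp/php-fastcgi.socket-0: Connection refused
Feb 14 22:21:56 home lighttpd[81368]: (gw_backend.c.970) all handlers for /widgets/widgets/ntp_status.widget.php?updateme=yes on .php are down.
"""

# Constructed from the php-fpm.log excerpt in the post.
FPM_LOG = """\
[14-Feb-2021 22:01:30] NOTICE: fpm is running, pid 41964
[14-Feb-2021 22:01:30] NOTICE: ready to handle connections
"""

# Assumption: syslog lines have no year, so use the one php-fpm printed.
ASSUMED_YEAR = 2021

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
REFUSED = re.compile(r"establishing connection failed: socket: (unix:\S+?): Connection refused")
HANDLERS_DOWN = re.compile(r"all handlers for (\S+) on \.php are down")
FPM_READY = re.compile(r"^\[(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\] NOTICE: ready to handle connections")


def parse_lighttpd(text, year=ASSUMED_YEAR):
    """Count refused connections per socket and collect the requests that got a 503."""
    refused = Counter()
    failed_requests = []
    first_refusal = None
    for line in text.splitlines():
        ts_match = SYSLOG_TS.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(f"{year} {ts_match.group(1)}", "%Y %b %d %H:%M:%S")
        m = REFUSED.search(line)
        if m:
            refused[m.group(1)] += 1
            if first_refusal is None:
                first_refusal = ts
            continue
        m = HANDLERS_DOWN.search(line)
        if m:
            failed_requests.append((ts, m.group(1)))
    return refused, failed_requests, first_refusal


def last_fpm_ready(text):
    """Timestamp of the last time php-fpm said it was ready, or None."""
    ready = None
    for line in text.splitlines():
        m = FPM_READY.match(line)
        if m:
            ready = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return ready


def diagnose(lighttpd_text, fpm_text):
    """Summarize which sockets refused, which requests failed, and the timing gap."""
    refused, failed_requests, first_refusal = parse_lighttpd(lighttpd_text)
    ready = last_fpm_ready(fpm_text)
    gap = None
    if ready is not None and first_refusal is not None:
        gap = (first_refusal - ready).total_seconds()
    return {
        "sockets_refused": dict(refused),
        "requests_503": [path for _, path in failed_requests],
        "fpm_ready_before_refusals": gap is not None and gap > 0,
        "seconds_from_fpm_ready_to_first_refusal": gap,
    }


if __name__ == "__main__":
    for key, value in diagnose(LIGHTTPD_LOG, FPM_LOG).items():
        print(f"{key}: {value}")
```

Point the two constants at the real /var/log files (or read them in) to run it against a live box; a positive gap with refusals on every socket means php-fpm was up earlier and has since stopped listening where lighttpd expects it.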
General Discussion / Tunables - to quote or not to quote
« on: February 05, 2021, 05:56:24 pm »
This seems like a really basic question, but I'm having a hard time finding the answer. When do you use quotes around the value you are setting in Tunables? Does it matter?
I see both scattered around the internet:
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbclusters=32768
20.7 Legacy Series / Intrusion Detection
« on: September 02, 2020, 04:22:41 pm »
Download and Install in Intrusion Detection only yields:
Code:
Error reconfiguring IDS
Error (1)
Doesn't matter if rules are enabled or disabled, checked or not checked, one rule or many. Rebooted. It will show last updated time as the current time, but no rules are listed under the rules tab.
Log file says "suricata[71351] [100266] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!"
Also, Redis worked for a little while but now the service is stopped and won't restart. Uninstalled and reinstalled and it still won't start. I can't find any relevant log info for this.
Fairly new install and new to OPNsense after switching from pfSense. Overall much happier with it, particularly the stability. But still having a hard time finding relevant log information. Is there some sort of guide or tutorial to SSH in and look at more detailed log info?